Tags: c#, asp.net-core, xamarin, oauth-2.0, xamarin.essentials

Xamarin.Essentials WebAuthenticator server side implementation redirects to login page instead of 401?


I'm trying to make sense of the WebAuthenticator documentation and sample. The goal for me is to have a server based social login in the app (oauth 2).

When using this implementation, it must be assumed that I can use the [Authorize] attribute in another Controller to require authentication. But when I do that, what happens is that it tries to redirect to /Account/Login, which in turn doesn't exist, giving a 404.

using System.Collections.Generic;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

namespace Sample.Server.WebAuthenticator.Controllers
{
    [Route("api/[controller]")]
    [ApiController]
    [Authorize] // requires an authenticated caller; with the sample's cookie scheme an anonymous request is redirected to /Account/Login
    public class SampleController : ControllerBase
    {
        // GET: api/Sample
        [HttpGet]
        public IEnumerable<string> Get()
        {
            return new string[] { "value1", "value2" };
        }
    }
}

So trying the concept from the Android emulator results in the API controller URL "not being found", aka 404, instead of some kind of "authentication required" like 401.

(Screenshot: redirect to login)

To test this, download the Xamarin.Essentials sample from above. Add a SampleController using the API read/write template. Build the Sample.Server.WebAuthenticator, set it as the only startup project and debug it. Make sure you can access /api/sample and receive a JSON result. Next, add [Authorize] to the SampleController and debug it. It will redirect to a missing login page.

I'm a little confused that the server sample doesn't work a little more like the JWT article from Wildermuth.

What is the correct way to notify the app that it should authenticate?


Solution

  • The sample is not intended to authenticate against the server, even though it looks like it. The intention is to authenticate against, for example, Google. Then the token can be used in API calls to Google. Nothing else. Even if JWT authentication is added, that token can't be used with your own web API.

    So in order to have social authentication for your own web API, a solution able to federate, such as IdentityServer4, has to be used. ID4 would take the place of the sample server, and after authenticating against the social provider it would issue a token of its own, which the app can use to authenticate to your own web API.
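As an added illustration of that arrangement (not code from the Xamarin.Essentials sample or from IdentityServer4), this is the Startup of the app's own web API configured to validate bearer tokens issued by the federating server, so that an anonymous request to an [Authorize] controller gets a 401 rather than a redirect to /Account/Login. The authority URL and audience name are placeholders.

```csharp
// Added example: the app's own web API trusting tokens from a federating
// identity provider (ID4). Authority and audience are placeholder values.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

namespace Sample.Api
{
    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddControllers();

            // Bearer is the default scheme, so the challenge for an
            // unauthenticated [Authorize] request is a 401 with a
            // WWW-Authenticate header, not the cookie scheme's redirect
            // to /Account/Login.
            services
                .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(options =>
                {
                    // The federating server that signs a token of its own after
                    // the social login completes (placeholder URL).
                    options.Authority = "https://id.example.invalid";
                    // Only accept tokens minted for this API. A token the social
                    // provider issued for its own services is rejected here, which
                    // is why the sample's Google token cannot be reused directly.
                    options.Audience = "sample-api";
                    options.RequireHttpsMetadata = true;
                    options.TokenValidationParameters.ValidateIssuer = true;
                    options.TokenValidationParameters.ValidateAudience = true;
                    options.TokenValidationParameters.ValidateLifetime = true;
                    options.TokenValidationParameters.ClockSkew =
                        System.TimeSpan.FromMinutes(1);
                });

            services.AddAuthorization();
        }

        public void Configure(IApplicationBuilder app)
        {
            app.UseRouting();
            app.UseAuthentication(); // must precede UseAuthorization
            app.UseAuthorization();
            app.UseEndpoints(endpoints => endpoints.MapControllers());
        }
    }
}
```

The app keeps the social provider's token for calls to that provider and sends the ID4-issued token as `Authorization: Bearer ...` to this API; a missing or invalid token yields 401 and never a 404 from a non-existent login page.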